BULGARIA: A WHOLE NATION HACKED
In July 2019, an anonymous hacker emailed Bulgarian media outlets to proclaim that they had gained access to the database of the Bulgarian tax service. As is often the case with hacks, many of the details are still unclear, but one thing stood out: this was an attack of a staggering scope. Bulgaria has a population of around 7 million people, and the Bulgarian news media reported that the hacker had gained access to the data of 5 million. Analysts quickly concluded that almost everyone who pays taxes in the country had been affected. The precise data that were accessed are not entirely clear, but it is certain that vital information such as names, addresses, income data, and social security numbers had been compromised.
The incident prompted a flurry of questions in the press and online: Who did it? How did it take place, and what vulnerabilities in the tax service's systems did the hacker use to gain access? Could it have been prevented? Were the Bulgarian authorities sloppy, or were their cybersecurity efforts the best that could be expected and the hack unavoidable? Most importantly, what was the impact of this hack, both for the 5 million Bulgarians whose data had been accessed and for the Bulgarian authorities?
The first question has yet to be adequately answered. The Bulgarian police, undoubtedly under severe pressure to produce a suspect, briefly detained Kristiyan Boykov, a young "computer wizard" employed by a firm focusing on cybersecurity. It was believed that he had perpetrated the attack to make the point that Bulgaria needed to do more to protect its data. In 2017, he had exposed vulnerabilities in the website of the Bulgarian Ministry of Education, and he subsequently gave an interview on Bulgarian television explaining that he had exposed these flaws as a matter of "civic duty."
The then 20-year-old suspect denied all involvement and was released, though prosecutors continue to insist that he is the main culprit, conceding only that others may have been involved as well. They point to an email linked to the hack that was sent from one of the computers in Boykov's possession. When the hack took place, it was assumed to be an attack from outside the country, for the email in which the hack was announced had been sent from a Russian IP address. However, as the investigation progressed, it became clear that this IP address was simply a smokescreen and the email had in fact originated within Bulgaria.
What vulnerabilities did the hacker exploit? A final answer can only be given once a thorough investigation of the hack is concluded, but cybersecurity experts in Bulgaria quickly concluded that the attack was perpetrated through a system created to file VAT returns from outside Bulgaria. They identified it as an SQL injection. This takes place when user-supplied input is pasted directly into the text of a database query, so that the database reads the input as part of the command rather than as the data it was meant to be; instead of performing the task it was supposed to, the system carries out the orders smuggled in through the crafted input. SQL injections are often explained using the metaphor of a fully automated bus: it obeys the commands it gets and will halt at the right stops if it is told to, but if the commands are corrupted, the bus may, for instance, halt every three minutes whether there is a stop or not.
Could the hack have been prevented? Looking at the statistics, it becomes clear that the Bulgarian hack is not the only one to have been perpetrated by using an SQL injection; in 2017, as many as 20 percent of all cyberattacks were carried out by the same method. However, there are ways to protect computer systems against such an attack, and they are not complicated. One of these is, of course, to use the right software and make sure that the patches for it are applied as soon as they become available. A powerful protection against SQL injection in particular is the use of so-called prepared statements (also called parameterized queries). With such statements, the structure of the query is fixed in advance and the user's input is handed to the database separately, as a value to compare against; whatever the input contains, it can never be interpreted as part of the command. To use the metaphor of the bus again, the route is fixed before passengers board: they can only say which of the known stops they want, not issue new driving instructions. Validating input against the expected format (a VAT number has a fixed shape, so quotes and keywords have no business in it) adds a second, independent layer.
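To make the two paragraphs above concrete, here is an added example (written for this page, not code from the Bulgarian tax service, whose schema is not public) of a VAT-return lookup done the vulnerable way and the prepared-statement way. The table name `vat_returns`, the columns, the sample rows, and the attack strings are all constructed assumptions; the same injection works the same way against any SQL engine that lets strings be concatenated into queries.

```python
"""Added example: an SQL-injectable lookup beside its prepared-statement fix.

Illustrative code for this page; not the tax service's code. The schema,
rows and attack strings are constructed for the demonstration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with a few constructed VAT-return rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vat_returns (vat_id TEXT, company TEXT, declared_income INTEGER)"
    )
    conn.executemany(
        "INSERT INTO vat_returns VALUES (?, ?, ?)",
        [
            ("BG100000001", "Alpha OOD", 120000),
            ("BG100000002", "Beta EOOD", 450000),
            ("BG100000003", "Gamma AD", 980000),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, vat_id: str) -> list:
    """Vulnerable: the caller's input is pasted into the SQL text.

    The database parses the whole string as one command, so a crafted
    vat_id can rewrite the WHERE clause and return every row.
    """
    query = (
        "SELECT vat_id, company, declared_income FROM vat_returns "
        f"WHERE vat_id = '{vat_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_prepared(conn: sqlite3.Connection, vat_id: str) -> list:
    """Hardened: the SQL text is fixed; the input travels separately as a value.

    The database never parses vat_id as SQL, so quotes and keywords in it
    are just characters that fail to match any stored id.
    """
    query = "SELECT vat_id, company, declared_income FROM vat_returns WHERE vat_id = ?"
    return conn.execute(query, (vat_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    honest = "BG100000002"
    # Constructed attack strings. The first closes the quoted literal and
    # appends a condition that is always true; the second does the same and
    # uses "--" to comment out the trailing quote the query would add.
    attacks = ["' OR '1'='1", "x' OR 1=1 --"]

    print("honest, vulnerable :", lookup_vulnerable(db, honest))
    print("honest, prepared   :", lookup_prepared(db, honest))
    for a in attacks:
        print(f"attack {a!r}, vulnerable :", lookup_vulnerable(db, a))  # all 3 rows
        print(f"attack {a!r}, prepared   :", lookup_prepared(db, a))    # []
```

Run it and the honest id behaves identically in both functions, while each attack string dumps the whole table from `lookup_vulnerable` and returns nothing from `lookup_prepared`. The fix costs one character in the query text; the difference is that the database is told where the command ends and the data begins.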
As always, suspicion is a powerful protective tool in cybersecurity. When dealing with sensitive data, it is important to monitor access to the system that hosts it and, importantly, to log and review rejected or malformed requests and database errors: a burst of queries containing quotes, SQL keywords, or comment markers from a single client, especially when they trigger server errors, is a classic sign that someone is probing for an injection flaw. It is also useful to try hacking your own system; had the Bulgarian tax service enlisted its own "hacking squad" to test the VAT filing system, it would very likely have found the vulnerability early on and prevented the attack.
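The kind of log review described above, as an added example that is not part of the original case and not the tax service's tooling. It parses a handful of constructed web-server access log lines (combined log format, one normal client and one probing client), URL-decodes the query string so that encoded quotes cannot hide, and flags a source address that sends repeated injection-shaped requests or causes a server error with one. The patterns and the threshold are assumptions tuned for a field that should only ever hold a VAT number; a real deployment would adjust them per endpoint.

```python
"""Added example: spotting SQL-injection probing in access logs.

Illustrative code for this page. The log lines are constructed for the
example; the patterns and threshold are assumptions to be tuned in practice.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample (Apache/nginx "combined" style). 10.0.0.5 behaves normally;
# 203.0.113.7 sends a burst of malformed VAT ids, two of which cause 500 errors.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2019:10:01:02 +0300] "GET /vat/return?vat_id=BG100000002 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jul/2019:10:01:09 +0300] "GET /vat/return?vat_id=BG100000003 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2019:10:02:11 +0300] "GET /vat/return?vat_id=BG1%27 HTTP/1.1" 500 311 "-" "curl/7.64"
203.0.113.7 - - [15/Jul/2019:10:02:12 +0300] "GET /vat/return?vat_id=BG1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90412 "-" "curl/7.64"
203.0.113.7 - - [15/Jul/2019:10:02:13 +0300] "GET /vat/return?vat_id=BG1%27%20UNION%20SELECT%20name%2Csql%2C1%20FROM%20sqlite_master-- HTTP/1.1" 200 7320 "-" "curl/7.64"
203.0.113.7 - - [15/Jul/2019:10:02:14 +0300] "GET /vat/return?vat_id=BG1%27%20AND%20SLEEP(5)-- HTTP/1.1" 500 311 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shapes that never belong in a VAT-number field but are routine in injection
# probing. Matched against the decoded query string, case-insensitively.
INJECTION_PATTERNS = [
    re.compile(r"'"),                                        # a quote in an id field
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),      # UNION SELECT extraction
    re.compile(r"--|;|/\*"),                                 # comment / statement stacking
    re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),   # time-based blind probes
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %xx escapes so an attacker cannot hide quotes behind encoding.
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def is_injection_probe(decoded_path: str) -> bool:
    """True if the query-string part of the decoded path matches a probe pattern."""
    query = decoded_path.partition("?")[2]
    return any(p.search(query) for p in INJECTION_PATTERNS)


def analyse(log_text: str, threshold: int = 2) -> dict:
    """Per-source counters plus a 'flagged' verdict.

    A source is flagged when it sends at least `threshold` injection-shaped
    requests, or when even one such request produced a 5xx (a malformed
    query that reached the database is the classic first sign of probing).
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "errors_on_probe": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if is_injection_probe(rec["decoded_path"]):
            s["probes"] += 1
            if rec["status"] >= 500:
                s["errors_on_probe"] += 1
    for s in stats.values():
        s["flagged"] = s["probes"] >= threshold or s["errors_on_probe"] >= 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        verdict = "FLAGGED" if s["flagged"] else "ok"
        print(f"{ip:<14} requests={s['requests']} probes={s['probes']} "
              f"500s_on_probe={s['errors_on_probe']} -> {verdict}")
```

Note that the third sample line, a lone `%27`, matches no SQL keyword at all and is still the most telling entry: a single quote in an id field that produces a 500 means the input reached the query parser unescaped, which is exactly the condition the previous example's `lookup_vulnerable` has. Reviewing such errors is cheap and catches probing well before a successful dump like the 90 KB response on the following line.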
None of these strategies were in place in Bulgaria, according to the country's cybersecurity experts. The hacker boasted of having obtained access to the system several years before the date of the actual attack, and the email announcement to the press contemptuously referred to cybersecurity in Bulgaria as a "parody" of a real one. That may be a harsh judgment, but it is true that many experts had issued the same warnings as the hacker for a long time. Indeed, several months before the tax database hack, the Commercial Registry of Bulgaria was attacked as well. After the tax hack took place, it became clear that the Commercial Registry had yet another vulnerability: anyone could gain access to thousands of social security numbers stored on the website of the Commercial Registry merely by performing a search on Google.
The scale and depth of the tax hack should not obscure the fact that official databases and systems around the world are attacked frequently. One of the most spectacular hacks of a government agency took place in February 2016, causing the Central Bank of Bangladesh to lose more than $100 million. The loss would have been much higher, since the hackers targeted a total of around a billion dollars, but for mistakes in the wiring instructions that caused several orders to transfer money from the bank to be blocked in the United States. Investigations into the causes and perpetrators of this hack are still ongoing.
In January 2019, Germany was shocked by one of the biggest data hacks in recent history when personal details of major politicians (including Chancellor Angela Merkel) were published on Twitter. The German authorities immediately stressed that no really sensitive information had been accessed, but the hack was a huge embarrassment nonetheless, compounded by the fact that the data had been online for several months before their discovery. To add insult to injury, the hack had been perpetrated by a 20-year-old student using commonplace techniques.
The Bulgarian case, however, stands apart because the hack targeted data from almost everyone in the country who pays taxes. But what made cybersecurity in Bulgaria particularly vulnerable, which was allegedly the real motivation behind the 2019 hack? To begin with, Bulgarian authorities make a distinction between critical infrastructure and non-critical databases. Critical infrastructure is mostly linked to defense facilities and systems. Bulgaria is a member of NATO, so non-members could try to gain access to Bulgarian defense systems to spy on the alliance, hence their categorization as critical. The tax databases were not considered critical and thus received less attention from the state's cybersecurity experts.
These experts are urging the Bulgarian authorities to step up their efforts to protect their data systems because the impact of such hacks is potentially devastating. Hackers often sell data to criminal gangs, and the data of tax-paying Bulgarians are especially interesting to them because they do not change quickly: people do not move house every year and, generally speaking, their income does not fluctuate dramatically either. After the 2019 tax hack, The New York Times cited one cybersecurity expert as saying that the data obtained could easily be sold for about $200 million. The Bulgarian news media have already reported fraudulent schemes mostly targeting the elderly in the country, though it is not yet established whether these are linked to the tax hack.
Sadly, the risks will remain in place for many years to come, with two in particular standing out: credit card fraud and identity theft. According to some reports in the Bulgarian news media, the hacked income data goes as far back as 2007. It would be easy for criminals to use this data to make lists of people in Bulgaria who are more affluent and use credit cards. Fortunately, credit card use is not widespread in Bulgaria, but if criminals do succeed in perpetrating this kind of fraud, the costs for both the individual and the bank in question may be huge. There is a huge political price for the Bulgarian authorities to pay as well. Tax-paying citizens need to be sure that their data are being kept safe. Few people like paying taxes to begin with, but they should never feel that they put their financial security at risk the next time they file a tax report.
Bulgaria is a member of the European Union and must abide by the General Data Protection Regulation, a strict set of rules that obliges governments and companies to protect the privacy of citizens and clients. The tax authority was fined €3 million for the breach of data by the country's privacy watchdog. While many of the Bulgarians whose data were illegally accessed may feel that this fine is justified, experts say that this does not solve the problem: Bulgaria needs to take steps to hire more cybersecurity experts and review the security of all data systems.
However, being a member of the European Union has added another wrinkle to Bulgaria's cybersecurity problems. Cybersecurity experts are in short supply thanks to freedom of movement, as talented IT workers can easily migrate from Bulgaria to other member states of the European Union where the salaries are more competitive than what the Bulgarian government offers. This point was forcefully made by Boyko Borissov, the Prime Minister of Bulgaria, after the attack on the tax database took place. According to him, the Bulgarian state pays cybersecurity experts a monthly salary of around 1,500 Bulgarian leva (approximately €770), but in the private sector the starting salary is at least six times that amount.
Prime Minister Borissov also said that he had considered the idea of outsourcing Bulgarian cybersecurity to experts in other countries, but the costs had proven prohibitive. Aside from the troubling legal implications of giving foreigners access to the sensitive data of Bulgarian citizens, the government would have to trust that the systems of the company it had hired were themselves safe, and sadly that is not always the case. The Bulgarian government is now working on a project to form a special cybersecurity unit consisting of experts who are paid well above the average Bulgarian salary.
Case Questions:
1. Identify and describe the security and control issues related to the hacking technique discussed in this case
2. What managerial issues are faced by Bulgarian civil servants in charge of cybersecurity?
3. Discuss the potential impact of the Bulgarian tax hack.
4. How can data breaches like this be prevented?